WordPress “Max Banner Ads" Plug-in XSS (Cross-site Scripting) Security Vulnerabilities

WordPress “Max Banner Ads" Plug-in XSS (Cross-site Scripting) Security Vulnerabilities

 

Exploit Title: WordPress “Max Banner Ads" Plugin /info.php &zone_id Parameter XSS Security Vulnerabilities

Product: WordPress “Max Banner Ads" Plugin

Vendor: MaxBlogPress

Vulnerable Versions: 1.9  1.8   1.4   1.3.*   1.2.*   1.1   1.09

Tested Version: Check All Related Versions’ Source Code

Advisory Publication: Mar 04, 2015

Latest Update: Mar 04, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

 

wordpress_max_banner

 

Advisory Details:

 

(1) Vendor & Product Description:

 

Vendor:

MaxBlogPress

 

Product & Version:

WordPress “Max Banner Ads" Plugin

1.9  1.8   1.4   1.3.*   1.2.*   1.1   1.09

 

Vendor URL & Download:

WordPress “Max Banner Ads" Plugin can be downloaded from here,

http://www.maxblogpress.com/plugins/

 

Product Introduction:

“Easily add and rotate banners in your wordpress blog anywhere you like without editing any themes or touching any codes"

 

 

 

(2) Vulnerability Details:

WordPress “Max Banner Ads" Plugin has a web application security bug problem. It can be exploited by XSS (Cross-site Scripting) attacks.

 

(2.1) The vulnerability occurs at “info.php?" page with “zone_id" parameter.

 

 

 

 

 

References:

http://tetraph.com/security/xss-vulnerability/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/03/wordpress-max-banner-ads-plug-in-xss.html

http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/

https://itinfotechnology.wordpress.com/2015/03/04/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/

http://lists.kde.org/?a=139222176300014&r=1&w=2

 

Leave a comment

你的電子郵件位址並不會被公開。 必要欄位標記為 *

你可以使用這些 HTML 標籤與屬性: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>